
Applying ADGLP for NTFS permissions – need advice


    stephenmbell
    Member
    #162502

    I am not sure if this is the right forum – I thought it may also be relevant to security or Active Directory – but I will try here. I am aware of the ADGLP best practice when it comes to ADDS and NTFS permissions. I use this in my current environment. However, it is used sparingly – we have a fairly flat and “wide open” network when it comes to permissions. It was like this when I got here, and it is a project to correct prior sins at some point in the future.

    That being said – I have a file server that is one of our main file shares. Our “G” drive if you will. I have just been asked to set up the following permission to a newly created folder:

    NewFolder
    ----SubFolder1
            N Subfolders / Files
    ----SubFolder2
            N Subfolders / Files
    ----SubFolder3
            N Subfolders / Files
    ----SubFolder4
            N Subfolders / Files
    ----SubFolder5
            N Subfolders / Files
    ----SubFolder6
            N Subfolders / Files
    ----SubFolder7
            N Subfolders / Files
    ----SubFolder8
            N Subfolders / Files

    What I am being asked is the following:

    A) For this particular folder, only Admins can create / delete / move both folders and files. (This is completed. I created a domain local group for this, ACL_Server Path To Folder_Full Control, and then a global security group, ThisShare Admin, and made it a member of ACL_Server Path To Folder_Full Control. On the “NewFolder” (from above), I modified the permissions to remove inheritable, and assigned the ACL_Server Path To Folder_Full Control group full control.)

    B) There will be groups of people that will need access to one or more of the SubFolder(1-8). Maybe only 1, maybe more than 1. This access will allow them the ability to create, remove, edit files only. Nothing with folders or subfolders. So my question here is – using the ADGLP best practice, should I then create a domain local security group for each of these top level sub folders?? And then global security groups to go in each of these domain local security groups??

    C) I know of an instance currently, but I am sure this will change, where a small number of users need access to NewFolder-->Subfolder2-->SubfolderA – again, files only, no folder creation or deletion here. As with “B” – would I create a domain local security group for this (and any other sub-sub folders), and matching global security groups?

    I have to imagine there is a better way here and I just can’t wrap my head around it.

    Thanks in advance

    sb
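
The group pairing described in A, applied per subfolder as asked in B and C, could be scripted as below. This is an added example, not part of the original post: the OU, drive path and group names are hypothetical placeholders, and the split of rights used for "files only" is an assumption about what the request means.

```powershell
# Added example: one domain local (ACL) group plus one global (role) group per folder.
# Assumes the ActiveDirectory module (RSAT) and that it runs on the file server.
Import-Module ActiveDirectory

$Root    = 'G:\NewFolder'                    # placeholder path
$GroupOU = 'OU=Groups,DC=example,DC=com'     # placeholder OU

function New-FilesOnlyAccess {
    param(
        [Parameter(Mandatory)][string]$FolderPath,  # folder that receives the ACEs
        [Parameter(Mandatory)][string]$Label        # short name reused in both group names
    )
    $dlName = "ACL_${Label}_FilesModify"   # hypothetical name: goes on the ACL, never holds users
    $ggName = "GG_${Label}_Editors"        # hypothetical name: holds users, never goes on an ACL

    $dl = New-ADGroup -Name $dlName -SamAccountName $dlName -GroupScope DomainLocal `
            -GroupCategory Security -Path $GroupOU -PassThru
    New-ADGroup -Name $ggName -SamAccountName $ggName -GroupScope Global `
            -GroupCategory Security -Path $GroupOU
    Add-ADGroupMember -Identity $dlName -Members $ggName

    # Using the SID avoids a name lookup that can fail before the new group replicates.
    $sid = $dl.SID
    $acl = Get-Acl -Path $FolderPath

    # Folders (this folder and subfolders): list, read and create files.
    # CreateDirectories and Delete are left out, so the folder tree itself cannot be changed.
    $folderRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'ReadAndExecute, CreateFiles', 'ContainerInherit', 'None', 'Allow')

    # Files only: Modify is inherited by files and is not applied to any folder.
    $fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Modify', 'ObjectInherit', 'InheritOnly', 'Allow')

    $acl.AddAccessRule($folderRule)
    $acl.AddAccessRule($fileRule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

# B: one pair per top-level subfolder that someone actually needs.
New-FilesOnlyAccess -FolderPath "$Root\SubFolder1" -Label 'SubFolder1'
# C: the same pattern for a sub-subfolder exception.
New-FilesOnlyAccess -FolderPath "$Root\SubFolder2\SubFolderA" -Label 'SubFolder2_SubFolderA'
```

Users are then added only to the `GG_` groups, so a later access review reads group membership instead of walking folder ACLs.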
